Supabase can use anonymized and aggregated data derived from your data and usage to improve and analyze its services, and this derived data is treated as Supabase's own intellectual property.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Even though Supabase does not claim ownership of your raw customer data, it retains rights to insights and analytics derived from that data, which is a common but material practice in cloud service agreements that customers should factor into their own privacy disclosures.
Interpretive note: The adequacy of anonymization is not defined in the agreement; whether derived data meets GDPR or CCPA deidentification standards depends on implementation details not disclosed in this document.
The relocation of Supabase's legal entity from Delaware to Singapore may affect which jurisdiction's courts and laws apply to disputes, potentially impacting your ability to pursue claims in US courts and changing which consumer protection laws govern your relationship. The requirement to explicitly click 'I Accept' rather than accepting through sign-up or service use clarifies consent but does not substantively change the agreement's terms. The new section on AI-powered tools discloses that Supabase may use AI chatbots for customer support; review that section to understand how such tools may process your inquiries.
Data about how you and your users interact with Supabase's platform can be aggregated and used by Supabase indefinitely as its own intellectual property, even after your subscription ends. Customers with strict data minimization obligations under GDPR or sector-specific regulations should assess whether this derivation is disclosed in their own privacy notices.
Monitoring
Supabase has changed this document before.
""Aggregated Data" means data and information related to or derived from Customer Data or Customer's use of the Services that is used by Supabase in an aggregate and anonymized manner, including to compile statistical and performance information related to the Services. [...] "Supabase IP" means the Services, the Documentation, and any and all intellectual property provided to Customer or any Authorized User in connection with the foregoing. For the avoidance of doubt, Supabase IP includes Aggregated Data and any information, data, or other content derived from Supabase's provision of the Services but does not include Customer Data.— Excerpt from Supabase's Supabase Terms of Service
REGULATORY LANDSCAPE: The Aggregated Data provision implicates GDPR Article 5 (data minimization and purpose limitation) and Recital 26 (anonymization standards), as well as CCPA definitions of deidentified data. The adequacy of Supabase's anonymization methodology is not described in this agreement; customers acting as data controllers bear responsibility for ensuring downstream processing by processors meets applicable standards. The DPA referenced in the agreement should address this processing basis.
GOVERNANCE EXPOSURE: Medium. Classifying derived data as Supabase IP is standard in cloud service agreements, but the scope of 'derived from Customer Data' is broad and could encompass behavioral patterns, query structures, or usage metrics that indirectly reveal customer or end-user information if re-identification risk is not adequately managed.
JURISDICTION FLAGS: GDPR's standard for anonymization is high; data that fails the anonymization test under GDPR remains personal data subject to full regulatory obligations. California's CCPA defines deidentified data with specific technical and contractual safeguards. Healthcare customers subject to HIPAA should assess whether derived data could constitute de-identified PHI under the Safe Harbor or Expert Determination methods.
CONTRACT AND VENDOR IMPLICATIONS: The DPA should be reviewed to confirm whether Aggregated Data processing is addressed as a permitted purpose or reserved right, and whether customers receive any transparency about how aggregation and anonymization are implemented technically. The IP classification of Aggregated Data means customers cannot later claim ownership or seek deletion of this derived data.
COMPLIANCE CONSIDERATIONS: Customers should update their own privacy notices to disclose that their cloud service provider may derive aggregated analytics from their data; review the DPA for anonymization standards and audit rights; and assess whether the Aggregated Data carve-out is compatible with their data processing agreements with their own customers.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.